
Firewalls have bugs too. The real problem is bad incentives.

For an IoT manufacturer, a device which fails to work due to blocking is far worse than a security flaw. The first directly leads to chargebacks and bad reputation. The second leads to... nothing.

So long as IPv4 exists, they have to at least use NAT, and their tracking is limited by IP pooling. But when we switch to IPv6 only, there's no good financial reason for devices to even have a 'deny all' stateful firewall.

It's more profitable to not bother with a firewall (just blame the client if he doesn't install a firewall to shield the device), than to deal with creating the right exceptions for firewall policy - even a single policy error would have a much stronger financial effect than opening up the device for the entire world.


